Case study: Fortune 100, 80% less compliance work. Read the Story
RiskWatch

For B2B SaaS + Service Organizations + Multi-Product CSPs

SOC 2 compliance software that gets the security questionnaire out of your deal's way.

The enterprise deal is ready to close. Then the buyer's procurement team asks for your current report and a stack of security questionnaires, and the deal stalls for weeks while you chase evidence. More than 90% of enterprise buyers now require a current report before they sign. Most SaaS teams keep that proof scattered across binders, spreadsheets, and an auditor's email thread, and rebuild it from scratch every cycle. RiskWatch runs it as one program: assess every product against one control library, keep the evidence audit-ready year round, and answer the buyer's questionnaire in days, not weeks.

Trusted by B2B SaaS, multi-product CSPs, and enterprise service organizations managing SOC 2 Type II + ISO 27001 dual surveillance, multi-product carve-out scoping, the CUEC ecosystem, and 380+ enterprise customer audits across cloud, AI, and platform-as-a-service categories.

Bose · TE Connectivity · Aon · Halex · NetAccess · Johnson & Johnson
4.7 on G2 Crowd (120+) · 4.7 on Capterra (80+) · 4.6 on Gartner Peer Insights (60+)

Why VPs of Trust + Security Pick RiskWatch

RiskWatch keeps you audit-ready year round, not just at crunch time.

RiskWatch gives one team a single program covering every product, every customer review, and every audit cycle. Score a control once and it answers your auditor, your ISO 27001 surveillance, and the buyer's security questionnaire at the same time, so you stop rebuilding the same proof in three formats. When the next enterprise deal asks for evidence, it is already there, without the GRC overhead an enterprise bank carries to produce it.

One control, every framework the buyer asks for

Answer a control once and it satisfies your report, your ISO 27001 surveillance, and the questionnaires buyers send, so you stop maintaining the same proof in parallel binders. (SOC 2 Type I and Type II, ISO 27001:2022 Annex A with its 93 controls, NIST CSF 2.0, CSA STAR, and SIG Lite + Core share one evidence library.)

Catch the gap before the auditor does

See which customers still owe their control attestations, and which gaps would stall the report, before the auditor flags them. (The CUEC tracker shows which customers have attested to which Complementary User Entity Controls across Type I point-in-time and Type II 6-to-12-month operating-effectiveness windows.)

Every product on one report

Run each product's posture on its own, then roll the whole company up to one consolidated report. Built for multi-product SaaS. (Sub-service organization carve-out vs inclusive method tracked. Live in 30 days, not 6 months.)

The SOC 2 Attestation Landscape

SOC 2 Type II is the de-facto B2B SaaS audit. The numbers prove it.

More than 90% of enterprise procurement reviews require a current SOC 2 Type II. The 2017 Trust Services Criteria (still current, with points of focus revised in 2022) organize the criteria as the Common Criteria for Security plus Additional Criteria for Availability, Processing Integrity, Confidentiality, and Privacy. The AICPA Description Criteria (DC section 200, implementation guidance revised in 2022) define what the system description in the report must cover. ISO 42001:2023 (AI management) is becoming the SOC 2 add-on of choice for AI-native SaaS. The CUEC ecosystem keeps growing as customers cite missing CUEC attestations as audit-blocking findings.

5 TSC
Trust Services Criteria, Security · Availability · Processing Integrity · Confidentiality · Privacy
Type II
Operating-effectiveness attestation over 6-12 months, the enterprise default
DC-200
AICPA Description Criteria (DC section 200), implementation guidance revised 2022
CUEC
Complementary User Entity Controls, customer-side controls SOC 2 reports require

Three Domains, One Platform

SOC 2 risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single TSC assessment satisfies the SOC 2 Common Criteria, the relevant Additional Criteria, the corresponding ISO 27001 Annex A control, and the NIST CSF 2.0 mapping simultaneously.

Risk

Service + Vendor + Sub-service Risk

Survey-based risk assessment across service organization, vendor TPRM, and sub-service organization carve-out / inclusive scoping.

  • Sub-service org register live
  • Vendor TPRM integrated
  • Risk register tied to TSC
Explore Risk Management
Compliance

Common + Add-on + TSC

Common Criteria, Additional Criteria, the 5 Trust Services Criteria, and the cross-mapped ISO + NIST + CSA STAR libraries.

  • All 5 TSC pre-loaded
  • ISO 27001 cross-mapped
  • DC-200 description ready
Explore Compliance Management
Validation

Type I + Type II + CUEC

Type I point-in-time, Type II operating-effectiveness, and the CUEC customer-attestation ecosystem tracked in one place.

  • Type II evidence vault live
  • CUEC tracker integrated
  • Auditor portal ready
Explore Cybersecurity

SOC 2 Type II · CUEC Spotlight

Without CUEC attestations, the auditor's opinion rests on an assumption nobody checked.

Complementary User Entity Controls (user-access provisioning, annual access reviews, BYOK key rotation, audit-log review, MFA enforcement) are the controls a SOC 2 report requires customers to perform for the service organization's controls to meet the criteria. When a customer doesn't actually perform them, the report's assurance does not hold for that customer. The CUEC tracker shows which customers have attested to which CUECs, surfaces gaps before the auditor finds them, and routes missing attestations back into the trust-portal workflow.

SOC 2 Type II · CUEC tracker
Complementary User Entity Controls · 6 CUECs · 47 customers
Customer attestation status · auditor-visible

CUEC-1  User access provisioning + termination per contract: 47/47 attested
CUEC-2  Annual access review of customer admin users: 41/47 attested
CUEC-3  Encryption key rotation (BYOK customers only): 9/12 attested
CUEC-4  Audit log review for customer-initiated actions: 23/47 attested
CUEC-5  Incident reporting within agreed-upon SLA: 47/47 attested
CUEC-6  MFA enforcement for customer admin users: 45/47 attested

Annual customer attestation cycle · auto-renewed. The Type II report stops being theatre.
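As an added worked example (not RiskWatch's code and not tied to its data model), here are the two checks that the tracker above and the "catch the gap before the auditor does" promise rest on: a Type II evidence-window scan that finds stretches of the audit period with no evidence for a control at its required cadence, and a CUEC roll-up that counts only attestations from customers the CUEC actually applies to. Control identifiers, cadences, customer names and dates are constructed for illustration.

```python
"""Type II evidence-window gap check and CUEC attestation roll-up.

Illustrative code added to this page; it is not RiskWatch's implementation.
Control identifiers, cadences, customers and dates are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Control:
    ident: str
    description: str
    cadence_days: int                              # max days allowed between two pieces of evidence
    evidence: list = field(default_factory=list)   # dates on which evidence was captured


@dataclass
class Cuec:
    ident: str
    description: str
    applicable: set          # customers this CUEC applies to (e.g. BYOK customers only)
    attested: set            # customers who have attested for this cycle


def evidence_gaps(ctrl, period_start, period_end):
    """Return [(gap_start, gap_end)] spans inside the audit period with no evidence.

    A Type II opinion covers operating effectiveness across the whole period, so
    evidence must recur at the control's cadence from period start to period end.
    A run longer than cadence_days without evidence is a gap: it starts when the
    cadence expires and ends at the next evidence (or the end of the period).
    """
    in_period = sorted(d for d in ctrl.evidence if period_start <= d <= period_end)
    gaps, prev = [], period_start
    for d in in_period + [period_end]:
        if (d - prev).days > ctrl.cadence_days:
            gaps.append((prev + timedelta(days=ctrl.cadence_days), d))
        prev = d
    return gaps


def cuec_status(cuec):
    """(attested count, applicable count, customers still owing attestation).

    Attestations from customers the CUEC does not apply to are ignored, so a
    non-BYOK customer attesting to key rotation does not inflate the count.
    """
    attested = cuec.attested & cuec.applicable
    return len(attested), len(cuec.applicable), cuec.applicable - attested


def audit_readiness(controls, cuecs, period_start, period_end):
    """Everything an auditor would flag, keyed by control / CUEC identifier."""
    findings = {}
    for ctrl in controls:
        gaps = evidence_gaps(ctrl, period_start, period_end)
        if gaps:
            findings[ctrl.ident] = [f"no evidence from {a} to {b}" for a, b in gaps]
    for cuec in cuecs:
        n, total, missing = cuec_status(cuec)
        if missing:
            findings[cuec.ident] = [f"{n}/{total} attested; owing: {', '.join(sorted(missing))}"]
    return findings


# --- constructed sample data: a 12-month Type II window (identifiers are illustrative) ---
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)

CONTROLS = [
    # Quarterly access review (cadence 92 days); the Q3 review was never captured
    Control("CC6-access-review", "Quarterly review of production accounts", 92,
            [date(2024, 3, 28), date(2024, 6, 27), date(2024, 12, 19)]),
    # Weekly log review captured every Monday of the year: no gap
    Control("CC7-log-review", "Weekly review of security log alerts", 7,
            [date(2024, 1, 1) + timedelta(weeks=w) for w in range(53)]),
]

ALL_CUSTOMERS = {f"cust-{i:02d}" for i in range(1, 48)}                    # 47 customers
BYOK = {"cust-03", "cust-11", "cust-19", "cust-25", "cust-31", "cust-37",
        "cust-40", "cust-42", "cust-44", "cust-45", "cust-46", "cust-47"}   # 12 BYOK customers

CUECS = [
    # 9 of 12 BYOK customers attested; cust-01 attested too but is not BYOK, so it does not count
    Cuec("CUEC-3", "Encryption key rotation (BYOK customers only)", BYOK,
         (BYOK - {"cust-19", "cust-40", "cust-44"}) | {"cust-01"}),
    Cuec("CUEC-6", "MFA enforcement for customer admin users", ALL_CUSTOMERS,
         ALL_CUSTOMERS - {"cust-08", "cust-29"}),
]

if __name__ == "__main__":
    for ident, notes in audit_readiness(CONTROLS, CUECS, PERIOD_START, PERIOD_END).items():
        print(ident, "->", "; ".join(notes))
```

The gap check uses a strict "longer than cadence" test, so evidence captured exactly on cadence is not a finding, and the period start counts as the first anchor: a control with no evidence in its first cadence window is flagged even if every later sample is on time. The CUEC roll-up intersects attestations with the applicable set before counting, which is what keeps a 9/12 from silently becoming a 10/12.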

The Coverage Gap

Most SOC 2 software covers one TSC

Compliance automation tools handle Security TSC. Vendor risk platforms cover sub-service orgs. Audit-prep specialty handles document collection. Each does one job. VPs of Trust still operate four parallel programs across products, customers, and audit cycles.

Platform category | Examples | TSC | Type I | Type II | CUEC | Cross-mapping | Multi-product
Compliance automation | Drata, Vanta, Secureframe | Yes | Yes | Yes | Partial | Partial | Partial
Generic GRC | ServiceNow GRC, Archer | Partial | Partial | Partial | Partial | Partial | Partial
Audit-prep specialty | AuditBoard, Workiva | Partial | Partial | Yes | – | Yes | Partial
Vendor risk tools | OneTrust VRM, ProcessUnity | – | – | – | Partial | – | Partial
ISO 27001 specialty | BSI Connect, Conformio | – | – | – | – | Yes | –
Spreadsheets & email | | – | – | – | – | – | –
RiskWatch | The unified auditor-ready platform | Yes | Yes | Yes | Yes | Yes | Yes
(– = not covered)

RiskWatch is the only platform covering all six SOC 2 compliance domains: Trust Services Criteria, Type I, Type II, the CUEC ecosystem, ISO 27001 + NIST CSF cross-mapping, and multi-product coordination. Each of the other categories does one job; RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Continuous compliance across every TSC + framework.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture Trust Services Criteria posture, control implementation, and CUEC attestations in a consistent format; each response is then scored against every framework you align to.

For SOC 2, that workflow runs continuously across the 5 TSC, Type I + Type II evidence, the CUEC ecosystem, sub-service org scoping, ISO 27001:2022, NIST CSF 2.0, CSA STAR, SIG, and HITRUST. A single TSC control assessment scores against the SOC 2 Common Criteria, the corresponding ISO 27001 Annex A control, the NIST CSF mapping, and the customer SIG response simultaneously.

The same platform runs all of it, surfaces gaps before the auditor arrives, assigns remediation owners, and tracks completion. It replaces the compliance-automation tool, the GRC platform, the vendor portal, and the customer-audit response binder, and the hand-offs between them.

The Workflow

  1. Scope
     Trust Services Criteria selected. Sub-service org carve-out / inclusive method documented. System description per DC-200 captured. CUEC inventory built.
  2. Score
     Responses score against the 5 TSC, Common Criteria + Additional Criteria, ISO 27001:2022 Annex A, NIST CSF 2.0, CSA STAR, SIG Lite + Core, and HITRUST CSF.
  3. Remediate
     Gaps become assigned tasks. Owners get deadlines. Vendor + sub-service-org + 3rd-party tasks cascade to the supplier portal automatically. CUEC notifications sent to customers.
  4. Attest
     Evidence trails export to Type I (point-in-time) or Type II (operating-effectiveness) auditor formats. ISO 27001 surveillance package ready. Customer SIG responses generated.

TSC · Type II · CUEC · ISO 27001 · Customer Audit

Built For Your Role

Who uses RiskWatch in a B2B SaaS or service organization

VP Trust + Security

Owns enterprise trust posture, multi-framework attestation strategy, and the customer-facing security program for 380+ enterprise customers.

SOC 2 Type II + ISO 27001 dual surveillance live. Customer-facing trust portal continuous. Customer SIG response time tracked.

Director of Compliance

Owns the SOC 2 audit cycle, ISO 27001 surveillance, CSA STAR submission, and the cross-framework control mapping.

Type II evidence vault live. ISO 27001 Annex A mapped. CSA STAR submission ready. Cross-framework gaps surfaced.

Head of Information Security

Owns the technical Security TSC controls, threat modeling, vulnerability management, and the CC6 / CC7 / CC8 control families.

All Security TSC controls scored. CC6/7/8 evidence captured. Vulnerability tracking integrated. Pen-test cycle continuous.

Customer Success / Trust Lead

Owns the customer-facing trust portal, the SOC 2 report distribution + customer audit responses, and CUEC attestation.

Trust portal live. Customer SIG + CAIQ + custom-questionnaire responses generated. CUEC tracker shows attested vs missing.

Privacy Officer

Owns the Privacy TSC additional criteria, GDPR + CCPA cross-mapping, and DPA / customer-data-processing addendum tracking.

Privacy TSC controls scored. GDPR + CCPA cross-walked. DPA register live. Customer data subject requests tracked.

Audit + Risk Lead

Owns internal audit cycles, the DC-200 system description and its COSO ERM mapping, sub-service organization risk, and the residual-risk register.

Internal audit cycle continuous. DC-200 description ready. Sub-service org register live. Residual risk register tied to TSCs.

Built For Your Segment

SOC 2 segments we serve

B2B SaaS Platforms

Enterprise B2B SaaS running multi-product Type II + ISO 27001 dual surveillance with 100+ enterprise customers conducting their own audits.

Multi-Product CSPs

Multi-product cloud service providers running per-product Type II with consolidated reporting + sub-service org carve-out / inclusive method scoping.

AI-Native + ML Platforms

AI-native SaaS adding ISO 42001:2023 AI management as the SOC 2 add-on, with model-governance + responsible-AI controls in scope.

Fintech + Embedded Finance

Fintech and embedded-finance platforms running SOC 2 alongside SOC 1 ICFR, PCI DSS, and state lending licenses.

Healthcare SaaS + HealthTech

HealthTech running SOC 2 + HIPAA + HITRUST CSF, with the BAA cascade and PHI flows in scope alongside the standard TSCs.

Service Organizations

Outsourced HR, payroll, billing, customer service, and managed-services providers running SOC 2 for client procurement diligence.

Frameworks We Cover

SOC 2 frameworks built into the library

RiskWatch ships with pre-built libraries for every major attestation + assurance + cross-mapped framework. Map controls once. Score against the framework that matters this audit cycle.

Regulatory + AICPA Frameworks

AICPA SOC 2 TSC
Trust Services Criteria, Security (Common Criteria), Availability, Processing Integrity, Confidentiality, Privacy (Additional Criteria).
SSAE 18
AICPA Statement on Standards for Attestation Engagements, the attestation framework SOC 2 reports follow.
SOC 1
Internal Control over Financial Reporting (ICFR) attestation for service organizations affecting customer financial reporting.
SOC 3
General-use trust report, SOC 2-equivalent assertions distributed publicly without restricted-use language.
AICPA DC-200
Description Criteria for a service organization's system description in a SOC 2 report (DC section 200), implementation guidance revised 2022.
AICPA SOC for Cybersecurity
Entity-level cybersecurity risk-management examination, separate from SOC 2 but cross-evidenced.

Industry + Cross-Mapped Frameworks

ISO 27001:2022
ISMS standard with the 2022 Annex A (93 controls), the international counterpart, dual-surveillance default.
NIST CSF 2.0
Cybersecurity Framework 2.0 (Feb 2024), outcome-based mapping of every TSC control to Govern / Identify / Protect / Detect / Respond / Recover.
CSA STAR
Cloud Security Alliance STAR self-assessment + certification, CAIQ + CCM cross-walked to TSCs.
SIG Lite + Core
Shared Assessments Standardized Information Gathering questionnaires, customer-audit response evidence.
HITRUST CSF
Health-industry common-security framework, cross-mapped for SaaS serving healthcare customers requiring HITRUST.
ISO 42001:2023
AI Management System standard, the SOC 2 add-on of choice for AI-native SaaS.

Trusted by 500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
We were running SOC 2 in Drata, ISO 27001 in a separate spreadsheet, the customer trust portal in a third tool, and CUEC tracking in Notion. Now it's one platform. Type II evidence, ISO 27001 Annex A mapping, the CUEC tracker, and customer SIG responses all run from the same evidence vault. Our last Type II audit closed with two findings instead of nine, and we cut customer-audit response time from 11 days to 2.
G. Magaki
VP Trust + Security, B2B SaaS company · 1,400 employees · SOC 2 Type II + ISO 27001 dual surveillance · 380+ enterprise customers
4 → 1: tools consolidated to one platform
9 → 2: Type II findings on most recent audit
11 → 2 days: customer SIG response time reduced

Type II · TSC · CUEC-ready

See RiskWatch run a SOC 2 Type II + ISO 27001 cycle live

30-minute walkthrough of the SOC 2 library, your product + customer + sub-service-org inputs, and the auditor-ready evidence-trail output. No slideware, no consulting upsell.

Or call US: +1 941-500-4525

Request a Demo